[ Resending with To trimmed. ]

Hi!

On Tue, 2022-08-30 at 22:57:51 +0200, Guillem Jover wrote:
> On Sun, 2022-08-28 at 14:40:44 +0200, Erik Auerswald wrote:
> > On Sat, Aug 27, 2022 at 07:37:15PM +0200, Erik Auerswald wrote:
> > > someone has described a remote DoS vulnerability in
> > > many telnetd implementations that I just happened to
> > > stumble over:
> > >
> > > https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
> > >
> > > The vulnerability is a NULL pointer dereference when
> > > reading either of two two byte sequences:
> > >
> > > 1: 0xff 0xf7
> > > 2: 0xff 0xf8
> > >
> > > The blog shows GNU Inetutils' telnetd as vulnerable:
> > >
> > > https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html#remote-dos-inetutils
>
> This has been assigned CVE-2022-39028 (I think from the Debian pool),
> after I reported it to the Debian security team.

While it might have been nice to get this in the commit message, I
think it would still be nice to add a reference in the NEWS. :)

> > > [...]
> > > In GNU Inetutils, the code lines to dereference table
> > > entries without first checking for NULL are in lines
> > > 321 and 323 of file "telnetd/state.c". The variable
> > > "ch" declared in line 315 of this file needs to be
> > > initialized to "(cc_t) (_POSIX_VDISABLE)", because it
> > > may not be assigned any value if the table is not yet
> > > initialized.
> > >
> > > References:
> > >
> > > line 315:
> > > https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n315
> > > line 321:
> > > https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n321
> > > line 323:
> > > https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n323
> > >
> > > I have attached a completely untested, not even compile
> > > tested, patch to do this (just the code changes, no NEWS
> > > or commit log or anything). Please test before committing.
> >
> > I have tested the patch now, it compiles and prevents the
> > crash by preventing the NULL pointer dereference.
>
> Thanks, I included this the other day in an upload to Debian sid, and
> I'm preparing updates for the Debian stable and oldstable releases too.

Thanks, Guillem
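The fix Erik describes (initialise `ch` to `_POSIX_VDISABLE` and check the table pointer before dereferencing it), as an added illustration that is not the inetutils code: a small model of the SLC table whose entries only point into the terminal characteristics after the init routine has run. The names `slctab`, `SLC_EC`, `SLC_EL`, `init_termbuf_model`, `handle_erase_cmd` and the sample erase/kill characters are constructed for this model.

```c
/* Constructed model of the telnetd EC/EL handling, not the inetutils
 * source.  Each SLC table slot points at a special character in the
 * terminal settings, or is NULL until those settings have been loaded. */
#include <stddef.h>
#include <termios.h>
#include <unistd.h>

#ifndef _POSIX_VDISABLE
#define _POSIX_VDISABLE '\0'
#endif

#define TELNET_EC 247   /* IAC EC: erase character, 0xff 0xf7 on the wire */
#define TELNET_EL 248   /* IAC EL: erase line,      0xff 0xf8 on the wire */

struct slc_entry { cc_t *sptr; };
enum { SLC_EC = 0, SLC_EL = 1, SLC_COUNT };
static struct slc_entry slctab[SLC_COUNT];   /* all sptr NULL at start */

/* Constructed terminal characteristics; telnetd takes these from the pty. */
static cc_t term_erase = 0x7f;  /* DEL */
static cc_t term_kill  = 0x15;  /* ^U  */

/* Models init_termbuf(): after this the table entries are valid pointers. */
void init_termbuf_model(void)
{
    slctab[SLC_EC].sptr = &term_erase;
    slctab[SLC_EL].sptr = &term_kill;
}

/* Hardened handler.  Returns the byte to forward to the pty, or -1 when
 * there is nothing to emit.  The vulnerable form left `ch` uninitialised
 * and did `ch = *slctab[SLC_EC].sptr;` with no NULL check, so an IAC EC
 * or IAC EL arriving before the table was filled crashed the server. */
int handle_erase_cmd(int cmd)
{
    cc_t ch = (cc_t) _POSIX_VDISABLE;   /* safe default: disabled */
    struct slc_entry *e;

    if (cmd == TELNET_EC)
        e = &slctab[SLC_EC];
    else if (cmd == TELNET_EL)
        e = &slctab[SLC_EL];
    else
        return -1;                      /* not an erase command */

    if (e->sptr != NULL)                /* table may not be populated yet */
        ch = *e->sptr;

    return ch == (cc_t) _POSIX_VDISABLE ? -1 : (unsigned char) ch;
}
```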